Jan 17, 2020

Business owners in the hospitality space, specifically accommodation owners, collect personal information from clients for a variety of reasons. The information is used to qualify clients for the rental agreement and to ensure timely payment can be made. Collecting this information aids in recourse should anything go wrong and serves as a level of protection for the business. 

There are two sides to the rental transaction and if a client’s private identifying information falls into the wrong hands, it could lead to fraud or identity theft. Your clients have an expectation of data security and confidentiality when it comes to using and storing their private information. 

Safeguarding clients’ personal information is good business.

State legislatures have enacted laws to help protect consumers’ personal information. The purpose of most data security regulation is to encourage businesses to protect personal information under their control in order to avoid misappropriation of that information. 

Last year was a big year for information security breach. Some of the biggest data breach scandals of 2018 include where one firm harvested the information of 87 million Facebook users. The fitness app Polar exposed the personal information of U.S. Military and Security personnel. Hackers of Marriott’s data retrieved information on 500,000 guests. For victims in the Marriott data breach, the information captured was very detailed including passport information, gender, date of birth, address, phone and email. There were several more notable scandals during the year, but let’s look at what businesses can do to protect client information.

Who has access to your client data and how?

It is important to identify every data access point both within the business and outside of the business. For example, for larger businesses the following departments and vendors may have access to client data: information technology staff, human resources office, accounting personnel, outside service providers and independent contractors. 

Keep in mind that data isn’t always only stored where you think such as a central computer database. Data may also be stored on the software the business uses, the website host, individual employee laptops, discs, mobile devices, in file cabinets, at branch offices, and files that employees have at home or in their vehicle. 

For business software, such as payment processing software, double-check the settings and make sure the software is not set to retain private information permanently. The FTC recommends 

If your business plans to retain client information, such as email addresses for use with future marketing campaigns, be sure to let your clients know what information will be retained and specifically how it will be used. Clients should be able to opt-out if desired.  

How accommodation businesses can protect client data.

The Federal Trade Commission (FTC) developed five, easy-to-remember principles for businesses to follow when creating a data security program.

1. Take stock. 
Take stock refers to inventory of the information. As was mentioned above, what personal information is in files and on business computers? Who has either direct or indirect access to information? Someone wanting to steal data may not have direct daily access. They may work in a nearby department or for a nearby business and only need access at a given point.

One of the best ways to identify points of contact and data capture is to go through the buyer journey yourself. Approach the process as a ‘mystery shopper’. Set up a temporary email and register as a client with your company. Keep an eye on the email for contact from your company.

2. Scale down.  
Businesses aren’t required to keep client data forever. Check with your local tax advisor or business legal counsel to see what, if any information, you need to retain and keep only what you need for your business. If there is a legitimate business need, keep the information only for as long as the need is there. 

3. Pitch it. 
Properly dispose of the information you no longer need. Dumping data from the computer hard drive into the computer ‘trash folder’ may not be legally sufficient for data destruction. The FTC recommends that a business burn, shred, or pulverize paper records and use wipe utility programs or otherwise destroy electronic records.  In fact, thirty-five states have enacted laws that require private entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable. Failure to do so could lead to significant fines.

4. Lock it
Protect the information that you keep. The FTC recommends four key elements for your protection plan: physical security, electronic security, employee training, ensuring a security practice for contractors and service providers. 

5. Plan ahead. 
Create a plan to prevent security incidents and how you will respond should an incident occur. The following are things to consider including in a data security program. For more information and an interactive tutorial visit: www.ftc.gov/infosecurity.

Physical Security
Electronic Security
Password Management
Laptop Security
Access Controls
Wireless and Remote Access
Detecting Breaches
Employee Training

Planning ahead is the most important step you can take. Ensuring your clients’ information is protected adds an important layer of protection to your business reputation. One mistake could undo years of hard work establishing a trustworthy business reputation.

Below are a few additional resources for building a data security program.

Protecting Personal Information: A Guide for Business (Five Key Principles to a Sound Data Security Program)
Privacy & Data Security: 2018 (actual PDF)
FTC’s 2018 Privacy & Data Security Update: What it means for your business
The Disposal Rule under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”)
Cyber Security for Small Business
Keep client data safe: 7 tips to protect your clients’ information